[jira] [Updated] (CASSANDRA-15560) Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
[ https://issues.apache.org/jira/browse/CASSANDRA-15560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brandon Williams updated CASSANDRA-15560:
-----------------------------------------
    Source Control Link: https://github.com/apache/cassandra/commit/6a42c21cb3e357caf4d7b2e8328f0f8f46f5269b
    Resolution: Fixed
    Status: Resolved (was: Ready to Commit)

Nice detective work! I think you're right, and since that's the only problem I found, I committed this. Thanks!

> Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
> ---------------------------------------------------------
>
> Key: CASSANDRA-15560
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15560
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Compression
> Reporter: Jordan West
> Assignee: Berenguer Blasi
> Priority: Normal
> Fix For: 4.0, 4.0-rc
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> CASSANDRA-15556 and related tickets showed that LZ4FastDecompressor can crash
> the JVM and that LZ4SafeDecompressor performs better w/o the crash risk — it's
> also not deprecated. While we protect ourselves by checksumming the
> compressed data, that doesn’t mean we should leave deprecated code that
> can segfault the jvm (providing a potential DDOS vector among other things)
> in crucial places like io.compress.

--
This message was sent by Atlassian Jira (v8.3.4#803005)

To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
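The switch the issue description above asks for, sketched against the lz4-java API as an added example (not code from the Cassandra patch). The deprecated LZ4FastDecompressor is handed only the expected output length, while LZ4SafeDecompressor also takes the compressed length and so can refuse a damaged block; the class name `SafeLz4Demo`, the helper `decompressChecked` and the sample payload are assumptions made for this illustration.

```java
import java.io.IOException;
import java.util.Arrays;

import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Exception;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

// Added illustration, not Cassandra's io.compress code; needs lz4-java on the classpath.
public class SafeLz4Demo {
    private static final LZ4Factory FACTORY = LZ4Factory.fastestInstance();

    /** Decompress one block, bounding reads by srcLen and writes by expectedLen. */
    static byte[] decompressChecked(byte[] src, int srcLen, int expectedLen) throws IOException {
        LZ4SafeDecompressor safe = FACTORY.safeDecompressor();
        byte[] dest = new byte[expectedLen];
        int written;
        try {
            // The safe API knows where the input ends and how much room dest has.
            written = safe.decompress(src, 0, srcLen, dest, 0, expectedLen);
        } catch (LZ4Exception e) {
            throw new IOException("corrupt LZ4 block", e);
        }
        // A damaged block can still decode to fewer bytes, so check the length as well.
        if (written != expectedLen) {
            throw new IOException("short LZ4 block: " + written + " of " + expectedLen + " bytes");
        }
        return dest;
    }

    public static void main(String[] args) throws IOException {
        byte[] plain = new byte[256];            // constructed sample payload
        Arrays.fill(plain, (byte) 'a');

        LZ4Compressor compressor = FACTORY.fastCompressor();
        byte[] block = new byte[compressor.maxCompressedLength(plain.length)];
        int blockLen = compressor.compress(plain, 0, plain.length, block, 0, block.length);

        byte[] roundTrip = decompressChecked(block, blockLen, plain.length);
        System.out.println("intact block round-trips: " + Arrays.equals(plain, roundTrip));

        try {
            decompressChecked(block, blockLen - 3, plain.length);  // constructed truncation
            System.out.println("truncated block was accepted");
        } catch (IOException e) {
            System.out.println("truncated block rejected: " + e.getMessage());
        }
    }
}
```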
[jira] [Updated] (CASSANDRA-15560) Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
[ https://issues.apache.org/jira/browse/CASSANDRA-15560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brandon Williams updated CASSANDRA-15560:
-----------------------------------------
    Status: Ready to Commit (was: Review In Progress)

> Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
> ---------------------------------------------------------
>
> Key: CASSANDRA-15560
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15560
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Compression
> Reporter: Jordan West
> Assignee: Berenguer Blasi
> Priority: Normal
> Fix For: 4.0, 4.0-rc
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
[jira] [Updated] (CASSANDRA-15560) Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
[ https://issues.apache.org/jira/browse/CASSANDRA-15560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Berenguer Blasi updated CASSANDRA-15560:
----------------------------------------
    Status: Review In Progress (was: Changes Suggested)

> Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
> ---------------------------------------------------------
>
> Key: CASSANDRA-15560
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15560
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Compression
> Reporter: Jordan West
> Assignee: Berenguer Blasi
> Priority: Normal
> Fix For: 4.0, 4.0-rc
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
[jira] [Updated] (CASSANDRA-15560) Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
[ https://issues.apache.org/jira/browse/CASSANDRA-15560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brandon Williams updated CASSANDRA-15560:
-----------------------------------------
    Status: Changes Suggested (was: Review In Progress)

Your CI runs were a little noisy (timeouts, etc.) so I ran with a beefier config and it looks like you broke the test_compression_cql_options test: https://app.circleci.com/pipelines/github/driftx/cassandra/27/workflows/896fefed-5707-4da0-882d-ca5a29abab58/jobs/177

It may be that the test just needs to be updated.

> Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
> ---------------------------------------------------------
>
> Key: CASSANDRA-15560
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15560
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Compression
> Reporter: Jordan West
> Assignee: Berenguer Blasi
> Priority: Normal
> Fix For: 4.0, 4.0-rc
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
[jira] [Updated] (CASSANDRA-15560) Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
[ https://issues.apache.org/jira/browse/CASSANDRA-15560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brandon Williams updated CASSANDRA-15560:
-----------------------------------------
    Reviewers: Brandon Williams, Brandon Williams (was: Brandon Williams)
               Brandon Williams, Brandon Williams
    Status: Review In Progress (was: Patch Available)

> Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
> ---------------------------------------------------------
>
> Key: CASSANDRA-15560
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15560
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Compression
> Reporter: Jordan West
> Assignee: Berenguer Blasi
> Priority: Normal
> Fix For: 4.0, 4.0-rc
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
[jira] [Updated] (CASSANDRA-15560) Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
[ https://issues.apache.org/jira/browse/CASSANDRA-15560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Berenguer Blasi updated CASSANDRA-15560:
----------------------------------------
    Test and Documentation Plan: CI runs attached to PR
    Status: Patch Available (was: In Progress)

> Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
> ---------------------------------------------------------
>
> Key: CASSANDRA-15560
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15560
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Compression
> Reporter: Jordan West
> Assignee: Berenguer Blasi
> Priority: Normal
> Fix For: 4.0, 4.0-rc
>
> Time Spent: 20m
> Remaining Estimate: 0h
[jira] [Updated] (CASSANDRA-15560) Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
[ https://issues.apache.org/jira/browse/CASSANDRA-15560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jordan West updated CASSANDRA-15560:
------------------------------------
    Fix Version/s: 4.0

> Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
> ---------------------------------------------------------
>
> Key: CASSANDRA-15560
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15560
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Compression
> Reporter: Jordan West
> Assignee: Jordan West
> Priority: Normal
> Fix For: 4.0, 4.0-rc
[jira] [Updated] (CASSANDRA-15560) Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
[ https://issues.apache.org/jira/browse/CASSANDRA-15560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jordan West updated CASSANDRA-15560:
------------------------------------
    Change Category: Quality Assurance
    Complexity: Low Hanging Fruit
    Fix Version/s: 4.0-rc
    Status: Open (was: Triage Needed)

> Change io.compressor.LZ4Compressor to LZ4SafeDecompressor
> ---------------------------------------------------------
>
> Key: CASSANDRA-15560
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15560
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Compression
> Reporter: Jordan West
> Assignee: Jordan West
> Priority: Normal
> Fix For: 4.0-rc